Hostname: page-component-586b7cd67f-gb8f7 Total loading time: 0 Render date: 2024-12-02T19:20:34.710Z Has data issue: false hasContentIssue false

Privacy and Security Issues with Mobile Health Research Applications

Published online by Cambridge University Press:  01 January 2021

Abstract

This article examines the privacy and security issues associated with mobile application-mediated health research, concentrating in particular on research conducted or participated in by independent scientists, citizen scientists, and patient researchers. Building on other articles in this issue that examine state research laws and state data protection laws as possible sources of privacy and security protections for mobile research participants, this article focuses on the lack of application of federal standards to mobile application-mediated health research. As discussed in more detail below, the voluminous and diverse data collected by some independent scientists who use mobile applications to conduct health research may be at risk for unregulated privacy and security breaches, leading to dignitary, psychological, and economic harms for which participants have few legally enforceable rights or remedies under current federal law. Federal lawmakers may wish to consider enacting new legislation that would require otherwise unregulated health data holders to implement reasonable data privacy, security, and breach notification measures.

Type
Symposium Articles
Copyright
Copyright © American Society of Law, Medicine and Ethics 2020

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

See Tovino, S.A., “Mobile Research Apps and State Research Laws,” Journal of Law, Medicine & Ethics 48, Supp. 1 (Supp.) (2020): 82-86; Tovino, S.A., “Mobile Research Apps and State Data Protection Statutes,” Journal of Law, Medicine & Ethics 48, Supp. 1 (2020): 87-93.CrossRefGoogle Scholar
See, e.g., Tufekci, Z., “The Latest Data Privacy Debacle,” New York Times, January 30, 2018 (discussing Strava, the mobile exercise application that inadvertently revealed the secret locations of American military bases and service members); Opperman v. Path, Inc., 205 F.Supp.3d 1064, 1073 (N.D. Cal. 2016) (explaining that the Yelp mobile application exceeded the scope of its users’ consent when it uploaded its users’ contacts data without explicit permission).Google Scholar
See, e.g., Rothstein, M.A., “Ethical Issues in Big Data Health Research,” Journal of Law, Medicine & Ethics 43, no. 2 (2015): 425-428. (discussing the psychological and dignitary harms that are associated with the loss of privacy in the context of big data health research).CrossRefGoogle Scholar
World Medical Association, Declaration of Helsinki, General Principles, ¶ 9 (1964).Google Scholar
Id., Preamble, ¶ 2.Google Scholar
Council for International Organizations of Medical Sciences, International Ethical Guidelines for Health-Related Research Involving Humans, Guideline 22 (4th ed. 2016) (“Use of Data Obtained from the Online Environment and Digital Tools in Health-Related Research”).Google Scholar
45 C.F.R. § 46.111(a)(7).Google Scholar
See Rothstein, M.A., Wilbanks, J.T., and Brothers, K.B., “Citizen Science on Your Smartphone: An ELSI Research Agenda,” Journal of Law, Medicine & Ethics 43, no. 2 (2015): 897-902. (explaining that virtually all American academic and health care institutions that conduct human subjects research are regulated by the Common Rule but that “research undertaken by independent entities or individuals, including citizen scientists, is not subject to the Common Rule.”).CrossRefGoogle Scholar
See Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 42 U.S.C.) [hereinafter HIPAA], amended in part by Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5, 123 Stat. 115, 226 (codified as amended in scattered sections of 42 U.S.C.) [hereinafter HITECH]. HHS’s privacy regulations, which implement section 264(c) of HIPAA, are codified at 45 C.F.R. Part 164, Subpart E (45 C.F.R. §§ 164.500-.534). HHS’s security regulations, which implement section 262(a) of HIPAA [42 U.S.C. § 1320d–2(d)(1)], are codified at 45 C.F.R. Part 164, Subpart C (45 C.F.R. §§ 164.302-.318). HHS’s breach notification regulations, which implement section 13402 of HITECH [42 U.S.C. § 17932], are codified at 45 C.F.R. Part 164, Subpart D (45 C.F.R. §§ 164.400-.414).Google Scholar
See 45 C.F.R. §§ 164.500-.534, §§ 164.302-.318, and §§ 164.400-.414 (setting forth the privacy, security, and breach notification obligations of covered entities and business associates under the HIPAA Rules).Google Scholar
See HIPAA, supra note 13, § 242 (adding 42 U.S.C. § 1320d-5 (establishing civil penalties for violations of the HIPAA Rules); 42 U.S.C. § 1320d-6 (establishing criminal penalties for violations of the HIPAA Rules); HITECH, supra note 13, § 13410(d) (revising the amount of the civil penalties authorized by HIPAA).Google Scholar
See 45 C.F.R. § 160.103 (defining covered entity); id. § 160.102(a) (applying the HIPAA Rules to covered entities).Google Scholar
See id. § 160.103 (defining business associate); id. § 160.102(b) (applying the HIPAA Rules to business associates).Google Scholar
See, e.g., Terry, N.P. and Gunter, T.D., “Regulating Mobile Mental Health Apps,” Behavioral Sciences and the Law 36, no. 1 (2018): 136-144. (“[Mobile medical applications] tend to be developed outside of traditional health care spaces with the result that they exist in a lightly regulated, ‘HIPAA-free zone.’”); Rothstein, Wilbanks and Brothers, supra note 12 (“[R]esearch undertaken by an individual or entity that is not a HIPAA-covered entity, such as a citizen scientist, is not required to follow federal privacy rules); Rothstein, M.A., “The End of the HIPAA Privacy Rule?” Journal of Law, Medicine & Ethics 44, no. 2 (2016): 352-358 (“Among the reasons for the Privacy Rule’s disrepute, especially among privacy advocates, is its limited coverage; it applies only to ‘covered entities’…”); Cohen, I.G. and Mello, M.M., “HIPAA and Protecting Health Information in the 21st Century,” JAMA Online First, May 24, 2018 (“HIPAA attaches (and limits) data protection to traditional health care relationships and environments. The reality …is that HIPAA-covered data form a small and diminishing share of the health information stored and traded in cyberspace.”); Cohen, I.G. and Mello, M.M., “Big Data, Big Tech, and Protecting Patient Privacy,” JAMA Online First, August 9, 2019 (“HIPAA is a 20th-century statute ill equipped to address 21st-century data practices.”).CrossRefGoogle Scholar
45 C.F.R. §§ 164.502-.514.Google Scholar
Id. §§ 164.520-.528.Google Scholar
Id. § 164.530.Google Scholar
Id. § 164.508(a)(1) (establishing the prior written authorization requirement); id. § 164.512(i)(1)(i)-(iii) (establishing three research-related exceptions to the authorization requirement); id. § 164.514(e) (establishing a fourth research-related exception to the authorization requirement involving research uses and disclosures of limited data sets).Google Scholar
See, e.g., Ben-Shahar, O. and Schneider, C.E., More Than You Wanted to Know: The Failure of Mandated Disclosure (2014) (arguing that mandated disclosures routinely fail to achieve their desired goals).CrossRefGoogle Scholar
See, e.g., Rothstein, M.A., “Improve Privacy in Research by Eliminating Informed Consent? IOM Report Misses the Mark,” Journal of Law, Medicine & Ethics 37, no. 3 (2009): 507-512 (arguing that a recommendation of the Institute of Medicine that would automatically convert all patients into research subjects without their knowledge or consent denigrates respect for autonomy).CrossRefGoogle Scholar
But see Cohen and Mello, “Big Data, Big Tech, and Protecting Patient Privacy,” supra note 18 (“Patients could be presented with a blanket ‘front door’ authorization form and choose to sign or withhold permission. However, this approach may prove to be mere ethical window dressing. HIPAA appropriately calls such a process authorization, not consent, because patients are rarely given the information and opportunity to ask questions needed to give meaningful informed consent to future uses of their data. Even if those problems could be overcome, it is asking a great deal of patients to imagine and assess how their information may be used and what the risk of re-identification may be.”) (internal references and citations omitted).Google Scholar
45 C.F.R. § 164.508(c)(1)-(2) (listing the core elements and required statements of a HIPAA-compliant authorization form).Google Scholar
See U.S. Dep’t Health & Human Servs., Guidance on HIPAA and Individual Authorization of Uses and Disclosures of Protected Health Information for Research 21st Century Cures Act of 2016 Mandate (June 2018) (responding to the 21st Century Cures Act’s mandate that the Secretary of HHS publish guidance regarding future research authorizations).Google Scholar
45 C.F.R. § 164.508(c)(1)-(2).Google Scholar
See Moore, S. et al., “Consent Processes in Mobile App Mediated Research: Systematic Review,” Journal of Medical Internet Research mHealth and uHealth 5, no. 8 (2017): E126 (showing how Duke University uses a mobile research application to deliver mandated disclosures to remotely located research participants and to obtain their electronic signatures).CrossRefGoogle Scholar
45 C.F.R. § 164.308.Google Scholar
Id. § 164.310.Google Scholar
Id. § 164.312.Google Scholar
Id. § 164.306(a)(1)-(2).Google Scholar
Id. § 164.308.Google Scholar
Id. § 164.310.Google Scholar
Id. § 164.312.Google Scholar
Id. §§ 164.400-.414.Google Scholar
Id. § 164.402 (defining breach).Google Scholar
Id. (defining uPHI).Google Scholar
Id. § 164.404(a)(1).Google Scholar